Hi stephan, As you suggested i tried to connect freeradous to active directory. Freeradius is able to join the active directory and below command also succeeded. radtest -t mschap <user> <password> localhost 0 <sharedsecret> But station failed to connect to AP. I got the below error on freeradius: EAP-FAST: Add EAP-Payload TLV EAP-FAST: Encrypting Phase 2 TLVs - hexdump(len=9): [REMOVED] EAP-FAST: Piggyback Phase 2 data (len=74) with last Phase 1 Message (len=59 used=0) SSL: Generating Request SSL: Sending out 133 bytes (message sent completely) EAP: EAP entering state SEND_REQUEST EAP: EAP entering state IDLE EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0) Wed Sep 17 12:06:41 2014 : Debug: ==> Request Wed Sep 17 12:06:41 2014 : Info: ++[eap2] = handled Wed Sep 17 12:06:41 2014 : Info: +} # group EAP = handled Sending Access-Challenge of id 0 to 10.10.2.21 port 32769 EAP-Message = 0x0103008b2b011403010001011603010030ecbaeb0cb34edb4b5a2ba664ee29b3bc10415f193eea62b87aec7010764b27c9214f353e257ba45d088db01395af31921703010020553bf7bacca0e0deaaab76ced600289fa3cfd5e554f12194366f6daebb9457461703010020bfa25876dc10a3be2823cc57da70dacc00ba36be10cac7d3fab63abc9568da76 State = 0x168e1d8b4946cac447e29a10af5f74ab Message-Authenticator = 0x00000000000000000000000000000000 Wed Sep 17 12:06:41 2014 : Info: Finished request 2. Wed Sep 17 12:06:41 2014 : Debug: Going to the next request Wed Sep 17 12:06:41 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.2.21 port 32769, id=0, length=198 Wed Sep 17 12:06:41 2014 : Info: Cleaning up request 2 ID 0 with timestamp +4 User-Name = "Administrator" NAS-IP-Address = 10.10.2.21 Called-Station-Id = "00904c0dc3c0" Calling-Station-Id = "b0df3a213196" NAS-Identifier = "00904c0dc3c0" NAS-Port = 6 Framed-MTU = 1400 State = 0x168e1d8b4946cac447e29a10af5f74ab NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0203003b2b01170301003095d9ea11cd8534ccc15833857d3abf3d4cde7bcfd6452e90a6376d38a1fbca5cd8866df13873ced31bcddb01b763a05a Message-Authenticator = 0x8436f303447ef2fb778d130a29cde1fe Wed Sep 17 12:06:41 2014 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Wed Sep 17 12:06:41 2014 : Info: +group authorize { Wed Sep 17 12:06:41 2014 : Info: ++[preprocess] = ok Wed Sep 17 12:06:41 2014 : Info: ++[chap] = noop Wed Sep 17 12:06:41 2014 : Info: ++[mschap] = noop Wed Sep 17 12:06:41 2014 : Info: ++[digest] = noop Wed Sep 17 12:06:41 2014 : Info: [suffix] No '@' in User-Name = "Administrator", looking up realm NULL Wed Sep 17 12:06:41 2014 : Info: [suffix] No such realm "NULL" Wed Sep 17 12:06:41 2014 : Info: ++[suffix] = noop Wed Sep 17 12:06:41 2014 : Info: [eap] EAP packet type response id 3 length 59 Wed Sep 17 12:06:41 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Sep 17 12:06:41 2014 : Info: ++[eap] = updated Wed Sep 17 12:06:41 2014 : Info: [files] users: Matched entry DEFAULT at line 1 Wed Sep 17 12:06:41 2014 : Info: ++[files] = ok Wed Sep 17 12:06:41 2014 : Info: ++[expiration] = noop Wed Sep 17 12:06:41 2014 : Info: ++[logintime] = noop Wed Sep 17 12:06:41 2014 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Sep 17 12:06:41 2014 : Info: ++[pap] = noop Wed Sep 17 12:06:41 2014 : Info: +} # group authorize = updated Wed Sep 17 12:06:41 2014 : Info: Found Auth-Type = EAP Wed Sep 17 12:06:41 2014 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Wed Sep 17 12:06:41 2014 : Info: +group EAP { Wed Sep 17 12:06:41 2014 : Info: [eap2] Request found, released from the list EAP: EAP entering state RECEIVED EAP: parseEapResp: rxResp=1 respId=3 respMethod=43 respVendor=0 respVendorMethod=0 EAP: EAP entering state INTEGRITY_CHECK EAP: EAP entering state METHOD_RESPONSE SSL: Received packet(len=59) - Flags 0x01 SSL: Received packet: Flags 0x1 Message Length 0 EAP-FAST: Received 53 bytes encrypted data for Phase 2 EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=22): [REMOVED] EAP-FAST: Received Phase 2: TLV type 9 length 18 (mandatory) EAP-FAST: EAP-Payload TLV - hexdump(len=18): 02 03 00 12 01 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 EAP-FAST: Received Phase 2: code=2 identifier=3 length=18 EAP-Identity: Peer identity - hexdump_ascii(len=13): 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 Administrator EAP-FAST: PHASE2_ID -> PHASE2_METHOD EAP-FAST: try EAP type 26 EAP: EAP entering state METHOD_REQUEST EAP: building EAP-Request: Identifier 4 EAP-MSCHAPV2: Challenge - hexdump(len=16): 3f 59 4c c5 b1 d1 bc 71 62 df c1 49 70 6a 03 b7 EAP-FAST: Phase 2 EAP-Request - hexdump(len=33): [REMOVED] EAP-FAST: Add EAP-Payload TLV EAP-FAST: Encrypting Phase 2 TLVs - hexdump(len=37): [REMOVED] SSL: Generating Request SSL: Sending out 106 bytes (message sent completely) EAP: EAP entering state SEND_REQUEST EAP: EAP entering state IDLE EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0) Wed Sep 17 12:06:41 2014 : Debug: ==> Request Wed Sep 17 12:06:41 2014 : Info: ++[eap2] = handled Wed Sep 17 12:06:41 2014 : Info: +} # group EAP = handled Sending Access-Challenge of id 0 to 10.10.2.21 port 32769 EAP-Message = 0x010400702b011703010020e4317e67f52197b376755f279b5e6623bba4be4333673a365d6162ddb21e5ba8170301004034291c01a1da6602565ad1e7ed03b4dd5f7a0f12d7f081fbd12e2fffdb304e1c5294279384159b5c2d8d003b3ef0dbfb15cf87af4db208b7259979816ada26c3 State = 0x9dd8b50daabbda5628fd760dd6fc5d4c Message-Authenticator = 0x00000000000000000000000000000000 Wed Sep 17 12:06:41 2014 : Info: Finished request 3. Wed Sep 17 12:06:41 2014 : Debug: Going to the next request Wed Sep 17 12:06:41 2014 : Debug: Waking up in 4.9 seconds. Wed Sep 17 12:06:46 2014 : Info: Cleaning up request 3 ID 0 with timestamp +4 Wed Sep 17 12:06:46 2014 : Info: Ready to process requests. Please find the attached complete console log for freeradius. Please help me to make it work. Regards Ammu On Fri, Aug 8, 2014 at 3:30 PM, < freeradius-devel-request@lists.freeradius.org> wrote:
Send Freeradius-Devel mailing list submissions to freeradius-devel@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-devel or, via email, send a message with subject or body 'help' to freeradius-devel-request@lists.freeradius.org
You can reach the person managing the list at freeradius-devel-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Devel digest..."
Today's Topics:
1. RE: EAP-FAST phase2 failed (Stefan Paetow)
----------------------------------------------------------------------
Message: 1 Date: Thu, 7 Aug 2014 21:25:46 +0000 From: Stefan Paetow <Stefan.Paetow@ja.net> To: FreeRadius developers mailing list <freeradius-devel@lists.freeradius.org> Subject: RE: EAP-FAST phase2 failed Message-ID: <C072996E0B81144DBB9426B44462540C0D6935BF@EXC001> Content-Type: text/plain; charset="iso-8859-1"
The log says this:
EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE
Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2).
Stefan
________________________________ From: freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Ammu Argh [ammu3634@gmail.com] Sent: 07 August 2014 17:16 To: freeradius-devel@lists.freeradius.org Subject: EAP-FAST phase2 failed
Hi,
I was trying to connect to AP using EAP-FAST authentication. But Freeradius EAP-FAST failed with below error:
State = 0x97d5bb340dc1cb0c525e6b44738f3553 Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 107 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 202 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group EAP { [eap2] Request found, released from the list EAP: EAP entering state RECEIVED EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0 EAP: EAP entering state INTEGRITY_CHECK EAP: EAP entering state METHOD_RESPONSE SSL: Received packet(len=107) - Flags 0x01 SSL: Received packet: Flags 0x1 Message Length 0 EAP-FAST: Received 101 bytes encrypted data for Phase 2 EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED] EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory) EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69 EAP-FAST: Received Phase 2: code=2 identifier=4 length=63 EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE EAP: EAP entering state SELECT_ACTION EAP: getDecision: method failed -> FAILURE EAP: EAP entering state FAILURE EAP: Building EAP-Failure (id=4) ==> Fail [eap2] Freeing handler EAP: Server state machine removed ++[eap2] = reject +} # group EAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 117 to 10.10.2.2 port 46531 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds.
Other details are as below"
Users file" wifi Auth-Type := EAP, Cleartext-Password := "welcome123"
eap.conf eap2 { fast { pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f eap_fast_a_id = tjsys eap_fast_a_id_info = my_server eap_fast_prov = 3 pac_key_lifetime = 604800 # 7 days pac_key_refresh_tim = 86400 }
tls { ca_cert = /usr/local/etc/raddb/certs/ca.pem server_cert = /usr/local/etc/raddb/certs/server.pem private_key_file = /usr/local/etc/raddb/certs/server.key private_key_password = whatever dh_file = /usr/local/etc/raddb/certs/dh random_file = /usr/local/etc/raddb/certs/random } }
Sites-enabled/default: Added in authenticate block Auth-Type EAP { eap2 }
wpa_supplicant.conf update_config=1 ap_scan=1 fast_reauth=1
network={ ssid="WiFi-11g" key_mgmt=WPA-EAP proto=WPA pairwise=TKIP group=TKIP eap=FAST anonymous_identity="fast" identity="fast" password="koro" phase1="fast_provisioning=3" pac_file="/data/misc/wifi/eap_fast.pac" }
FreeRADIUS Version 2.2.5, OpenSSL 1.0.1e 11 Ubuntu 14.04.1
Please help me to get it work.
Regards Ammu
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
End of Freeradius-Devel Digest, Vol 112, Issue 6 ************************************************